I'm new to AWS and am trying to create an EBS snapshot from a Lambda function, but I'm getting a permission error.
Error:
> Error Creating Snapshot An error occurred (UnauthorizedOperation) when
> calling the CreateSnapshot operation: You are not authorized to
> perform this operation. User:
> arn:aws:sts::Account-id:assumed-role/LambdaEC2SnapshotRole/lambdaEc2Snapshot
> is not authorized to perform: ec2:CreateTags on resource:
> arn:aws:ec2:us-east-1::snapshot/* because no identity-based policy
> allows the ec2:CreateTags action.
After going through some blogs and this AWS policy for creating snapshots only, I created the following policy for the Lambda, but I'm still facing the same error. Could you advise on what might be wrong?
Code
```python
import json
import logging
import pathlib  # was missing in the original; BASE below needs it
from datetime import datetime

import boto3

logger = logging.getLogger()
logger.setLevel(logging.INFO)

BASE = pathlib.Path().resolve()
lambda_client = boto3.client("lambda")


def handler(event, context):
    myec2 = boto3.client("ec2")
    current_date = datetime.now().strftime("%Y-%m-%d")
    print("Hey hello")
    try:
        # Passing TagSpecifications makes CreateSnapshot also need ec2:CreateTags
        response = myec2.create_snapshot(
            Description="My Ec2 Daily Snapshot",
            VolumeId="vol-0ce1640002f882ad1",
            TagSpecifications=[
                {
                    "ResourceType": "snapshot",
                    "Tags": [
                        {
                            "Key": "Name",
                            "Value": f"My Ec2 Snapshot {current_date}",
                        }
                    ],
                }
            ],
        )
        logger.info(f"Successfully Created Snapshot {json.dumps(response, default=str)}")
    except Exception as e:
        logger.error(f"Error Creating Snapshot {str(e)}")
```
The policy I created
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes"
            ],
            "Resource": "*"
        }
    ]
}
```
Thanks to luk2302 for pointing out the problem: my policy statement was missing ec2:CreateTags. Below is my updated policy
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}
```
The documentation below was also helpful: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/supported-iam-actions-tagging.html
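The error message names the exact gap (`ec2:CreateTags` on `arn:aws:ec2:us-east-1::snapshot/*`), and the updated policy closes it with `"Resource": "*"`, which also lets the role retag any EC2 resource in the account. The script below is an added example, not the asker's code or anything from AWS: it runs a deliberately small IAM evaluator (Allow statements, `*`/`?` wildcards, one `StringEquals` condition) over the original policy, the updated policy, and a tighter variant that grants `ec2:CreateTags` only on snapshot ARNs and only when the `ec2:CreateAction` condition key equals `CreateSnapshot`, which is what `TagSpecifications` on `create_snapshot` triggers. The volume ARN and account id used for the retag check are constructed placeholders.

```python
"""Offline check of which EC2 calls an IAM policy lets the Lambda role make.

Added example; not code from the question or from AWS. It implements only
the slice of IAM evaluation this question needs: Allow statements, '*' and
'?' wildcards in Action and Resource, and a StringEquals condition. Real IAM
evaluation also applies explicit Deny, SCPs, permission boundaries and
resource policies, so confirm with the IAM policy simulator before relying on it.
"""
from fnmatch import fnmatchcase

# Snapshot ARN exactly as it appears in the error message in the question.
SNAPSHOT_ARN = "arn:aws:ec2:us-east-1::snapshot/*"
# Constructed placeholder (account id 111122223333 is not real).
VOLUME_ARN = "arn:aws:ec2:us-east-1:111122223333:volume/vol-example"

# The policy as first posted: no ec2:CreateTags, so TagSpecifications fails.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:CreateSnapshot", "ec2:DescribeInstances", "ec2:DescribeVolumes"],
            "Resource": "*",
        }
    ],
}

# The asker's fix from the update: CreateTags on every resource.
UPDATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"]
    + [{"Effect": "Allow", "Action": ["ec2:CreateTags"], "Resource": "*"}],
}

# Tighter variant (this example's suggestion, not from the question): tags may
# only be created on snapshots, and only by the CreateSnapshot call itself.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"]
    + [
        {
            "Effect": "Allow",
            "Action": ["ec2:CreateTags"],
            "Resource": "arn:aws:ec2:*::snapshot/*",
            "Condition": {"StringEquals": {"ec2:CreateAction": "CreateSnapshot"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement covers action + resource under context.

    context carries request condition keys, e.g. {"ec2:CreateAction": "CreateSnapshot"}.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; ARNs are case-sensitive.
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        # A StringEquals key absent from the request makes the condition false.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in equals.items()):
            return True
    return False


def tag_on_create_allowed(policy):
    """Can the role tag the new snapshot as part of CreateSnapshot (TagSpecifications)?"""
    return is_allowed(policy, "ec2:CreateTags", SNAPSHOT_ARN, {"ec2:CreateAction": "CreateSnapshot"})


def standalone_retag_allowed(policy, resource):
    """Can the role call CreateTags on its own, with no creating action, on resource?"""
    return is_allowed(policy, "ec2:CreateTags", resource)


if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL_POLICY), ("updated", UPDATED_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(f"{name:16} tag-on-create={tag_on_create_allowed(policy)} "
              f"retag-volume={standalone_retag_allowed(policy, VOLUME_ARN)}")
```

Running it shows the original policy failing the tag-on-create check (the error in the question), the updated policy passing it but also allowing a standalone retag of a volume, and the least-privilege policy passing tag-on-create while refusing both the volume retag and a bare `CreateTags` on snapshots. The `ec2:CreateAction` key and the account-less `arn:aws:ec2:region::snapshot/*` ARN form are the documented ones from the tagging page the update links to; the evaluator is the assumption here, not the policy syntax.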